Advanced Techniques and Patterns
Building basic operators is one thing, but creating production-ready operators that can handle scale, security, and complex failure scenarios requires advanced techniques. I’ve learned these patterns through years of running operators in production environments where reliability isn’t optional.
Admission Webhooks for Validation and Mutation
One of the most powerful features you can add to your operator is admission webhooks. These allow you to validate or modify resources before they’re stored in etcd. I use them to enforce business rules, set defaults, and prevent configuration mistakes that could cause outages.
Admission webhooks come in two flavors: validating webhooks that can accept or reject resources, and mutating webhooks that can modify resources before they’re stored. The key insight is that webhooks run synchronously during the API request, so they can prevent bad configurations from ever entering your cluster.
Let’s build a validating webhook for our WebApp resources that enforces production-ready policies:
type WebAppValidator struct {
decoder *admission.Decoder
}
func (v *WebAppValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
webapp := &examplev1.WebApp{}
err := v.decoder.Decode(req, webapp)
if err != nil {
return admission.Errored(http.StatusBadRequest, err)
}
// Enforce replica limits based on namespace
if webapp.Namespace == "production" && webapp.Spec.Replicas > 10 {
return admission.Denied("production workloads cannot exceed 10 replicas")
}
// Validate image registry
if !strings.HasPrefix(webapp.Spec.Image, "registry.company.com/") {
return admission.Denied("images must come from approved registry")
}
// Require resource limits in production
if webapp.Namespace == "production" && webapp.Spec.Resources.Limits == nil {
return admission.Denied("resource limits required in production")
}
return admission.Allowed("")
}
This webhook prevents common mistakes like using untrusted images or deploying without resource limits in production. The beauty is that these checks happen automatically - developers get immediate feedback when they try to apply invalid configurations.
Mutating webhooks are equally powerful for setting intelligent defaults. Here’s how to automatically configure security contexts and resource limits:
type WebAppMutator struct {
decoder *admission.Decoder
}
func (m *WebAppMutator) Handle(ctx context.Context, req admission.Request) admission.Response {
webapp := &examplev1.WebApp{}
err := m.decoder.Decode(req, webapp)
if err != nil {
return admission.Errored(http.StatusBadRequest, err)
}
// Add default labels
if webapp.Labels == nil {
webapp.Labels = make(map[string]string)
}
webapp.Labels["managed-by"] = "webapp-operator"
webapp.Labels["version"] = "v1"
// Set security defaults for production
if webapp.Namespace == "production" {
webapp.Spec.SecurityContext = &corev1.SecurityContext{
RunAsNonRoot: &[]bool{true}[0],
RunAsUser: &[]int64{1000}[0],
AllowPrivilegeEscalation: &[]bool{false}[0],
}
}
marshaledWebApp, err := json.Marshal(webapp)
if err != nil {
return admission.Errored(http.StatusInternalServerError, err)
}
return admission.PatchResponseFromRaw(req.Object.Raw, marshaledWebApp)
}
The webhook configuration tells Kubernetes when to call your webhook:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionWebhook
metadata:
name: webapp-validator
webhooks:
- name: validate.webapp.example.com
clientConfig:
service:
name: webapp-operator-webhook
namespace: webapp-operator-system
path: /validate-webapp
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["example.com"]
apiVersions: ["v1"]
resources: ["webapps"]
admissionReviewVersions: ["v1"]
sideEffects: None
failurePolicy: Fail
The failurePolicy: Fail setting is crucial - it means that if your webhook is unavailable, resource creation will fail rather than bypassing validation. This prevents security policies from being accidentally circumvented.
Performance Optimization Strategies
As your operator manages more resources, performance becomes critical. I’ve seen operators that work fine with a few resources but become bottlenecks when managing hundreds or thousands of objects. The key is understanding how controller-runtime works and optimizing accordingly.
The most important optimization is controlling what triggers reconciliation. By default, any change to a watched resource triggers reconciliation, but you often only care about specific changes:
func (r *WebAppReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&examplev1.WebApp{}).
Owns(&appsv1.Deployment{}).
WithOptions(controller.Options{
MaxConcurrentReconciles: 5,
}).
WithEventFilter(predicate.Funcs{
UpdateFunc: func(e event.UpdateEvent) bool {
oldWebApp := e.ObjectOld.(*examplev1.WebApp)
newWebApp := e.ObjectNew.(*examplev1.WebApp)
// Only reconcile on spec changes, not status updates
return !reflect.DeepEqual(oldWebApp.Spec, newWebApp.Spec)
},
GenericFunc: func(e event.GenericEvent) bool {
return false // Skip generic events
},
}).
Complete(r)
}
This filter prevents unnecessary reconciliation when only the status changes, which can significantly reduce CPU usage in busy clusters. Another critical optimization is using field indexing for efficient lookups. When you need to find resources based on specific fields, indexes can dramatically improve performance:
func (r *WebAppReconciler) SetupWithManager(mgr ctrl.Manager) error {
// Index WebApps by image for efficient lookups
if err := mgr.GetFieldIndexer().IndexField(context.Background(), &examplev1.WebApp{}, "spec.image", func(rawObj client.Object) []string {
webapp := rawObj.(*examplev1.WebApp)
return []string{webapp.Spec.Image}
}); err != nil {
return err
}
return ctrl.NewControllerManagedBy(mgr).
For(&examplev1.WebApp{}).
Complete(r)
}
// Now you can efficiently find all WebApps using a specific image
func (r *WebAppReconciler) findWebAppsByImage(ctx context.Context, image string) ([]examplev1.WebApp, error) {
var webapps examplev1.WebAppList
err := r.List(ctx, &webapps, client.MatchingFields{"spec.image": image})
return webapps.Items, err
}
This is particularly useful when you need to implement policies across multiple resources or coordinate updates based on shared characteristics.
Leader Election and High Availability
Production operators need to handle failures gracefully, which means running multiple replicas with leader election. Only one instance should actively reconcile resources at a time, but if that instance fails, another should take over quickly.
The controller-runtime framework makes this straightforward:
func main() {
mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: scheme,
MetricsBindAddress: ":8080",
Port: 9443,
LeaderElection: true,
LeaderElectionID: "webapp-operator-lock",
LeaseDuration: &[]time.Duration{15 * time.Second}[0],
RenewDeadline: &[]time.Duration{10 * time.Second}[0],
RetryPeriod: &[]time.Duration{2 * time.Second}[0],
})
if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
setupLog.Error(err, "problem running manager")
os.Exit(1)
}
}
The leader election parameters control how quickly failover happens. Shorter lease durations mean faster failover but more network traffic. I typically use 15-second leases for production operators, which provides a good balance between responsiveness and efficiency.
Security and RBAC Best Practices
Security is often an afterthought in operator development, but it should be designed in from the beginning. The principle of least privilege applies - your operator should only have the permissions it absolutely needs.
Here’s a comprehensive RBAC configuration that follows security best practices:
apiVersion: v1
kind: ServiceAccount
metadata:
name: webapp-operator
namespace: webapp-operator-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: webapp-operator-role
rules:
# Only the permissions actually needed
- apiGroups: ["example.com"]
resources: ["webapps"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["example.com"]
resources: ["webapps/status"]
verbs: ["get", "update", "patch"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Events for debugging
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
Notice how we separate the status permissions and only grant access to the specific resources the operator manages. This prevents the operator from accidentally modifying resources it shouldn’t touch.
For the operator’s own pods, use restrictive security contexts:
func (r *WebAppReconciler) createSecureDeployment(webapp *examplev1.WebApp) *appsv1.Deployment {
securityContext := &corev1.SecurityContext{
RunAsNonRoot: &[]bool{true}[0],
RunAsUser: &[]int64{1000}[0],
AllowPrivilegeEscalation: &[]bool{false}[0],
ReadOnlyRootFilesystem: &[]bool{true}[0],
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
}
// Apply to all containers in the deployment
return deployment
}
These settings prevent privilege escalation attacks and limit the blast radius if the operator is compromised.
Custom Metrics and Observability
Monitoring your operator is crucial for understanding its behavior and diagnosing issues. I always include custom metrics that track both technical performance and business-level outcomes.
Here’s how to add Prometheus metrics to your operator:
var (
webappReconcileTotal = prometheus.NewCounterVec(
prometheus.CounterOpts{
Name: "webapp_reconcile_total",
Help: "Total number of WebApp reconciliations",
},
[]string{"namespace", "name", "result"},
)
webappReconcileDuration = prometheus.NewHistogramVec(
prometheus.HistogramOpts{
Name: "webapp_reconcile_duration_seconds",
Help: "Duration of WebApp reconciliations",
Buckets: []float64{0.1, 0.5, 1.0, 2.5, 5.0, 10.0},
},
[]string{"namespace", "name"},
)
)
func (r *WebAppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
start := time.Now()
defer func() {
webappReconcileDuration.WithLabelValues(req.Namespace, req.Name).Observe(time.Since(start).Seconds())
}()
// ... reconciliation logic ...
webappReconcileTotal.WithLabelValues(req.Namespace, req.Name, "success").Inc()
return ctrl.Result{}, nil
}
The key is choosing metrics that help you understand both performance (how long reconciliation takes) and correctness (how often it succeeds). I also include business metrics like the number of applications deployed or configuration changes applied.
Error Handling and Circuit Breakers
Robust error handling is what separates production-ready operators from prototypes. You need to handle both transient failures (network timeouts, API server overload) and permanent failures (invalid configurations, missing dependencies) differently.
Here’s a pattern I use for implementing retry logic with exponential backoff:
func (r *WebAppReconciler) reconcileWithRetry(ctx context.Context, webapp *examplev1.WebApp, maxRetries int) error {
var lastErr error
for attempt := 0; attempt < maxRetries; attempt++ {
if err := r.reconcileDeployment(ctx, webapp); err != nil {
lastErr = err
// Check if this is a retryable error
if !isRetryableError(err) {
return err // Don't retry permanent failures
}
// Exponential backoff
backoff := time.Duration(attempt+1) * time.Second
time.Sleep(backoff)
continue
}
return nil // Success
}
return fmt.Errorf("failed after %d attempts: %w", maxRetries, lastErr)
}
func isRetryableError(err error) bool {
// Retry on network errors, server errors, but not client errors
if errors.IsServerTimeout(err) || errors.IsServiceUnavailable(err) {
return true
}
if errors.IsBadRequest(err) || errors.IsNotFound(err) {
return false
}
return true
}
This approach prevents your operator from getting stuck on transient failures while avoiding infinite retry loops on permanent problems.
In Part 5, we’ll focus on production deployment strategies, comprehensive monitoring setups, and the operational practices that keep operators running reliably in production environments. You’ll learn how to deploy operators safely, monitor their health, and troubleshoot issues when they arise.